Re: [sleuthkit-users] Image details ...
From: Grundy B. J T. <Bar...@ti...> - 2010-05-19 16:00:07
I don't use Autopsy (only Sleuthkit), but unless something rather drastic has changed, Autopsy does NOT "mount" the image. The information is collected by the various TSK tools and presented in the Autopsy interface. There is no mount point.

One way to get the sizes of the partitions is to use "mmls" (or sfdisk, etc.) on the images on the command line and calculate the size of each partition using the number of HW sectors in each.

If you want to mount the split images to use CLI tools, you can either do a linear raid (not recommended) or you can use something like affuse (from afflib) then loopmount the partitions in the resulting raw image, which works quite well.

Barry

/*******************************************
Barry J. Grundy
Assistant Special Agent in Charge
Computer Investigative Support Program
Strategic Enforcement Division
Treasury Inspector General for Tax Administration
(301) 210-8741 (w)
(202) 527-5778 (c)
Bar...@ti...
********************************************\

________________________________________
From: s s [mailto:ed...@gm...]
Sent: Wednesday, May 19, 2010 11:17 AM
To: sle...@li...
Subject: [sleuthkit-users] Image details ...

Hey all,

I'm a kind of newbie using Sleuthkit with the Autopsy graphical interface. This software is making me mad, it is so powerful BUT ...

... I can see a lot of options concerning Inode, cluster, block size, everything, ...

BUT I ONLY WANT ONE THING: How may I be able to get information about the size of the disk or the partition I'm working on???

Example: I successfully mount a split image disk (Img.001 to img.040) on the interface. It shows me 2 partitions (Windows), C: and D:. I can browse each.

Questions:

Where did Sleuthkit mount these images? (if I want to use some command lines)

And where may I have information about these partitions, I mean precisely:

C:/ is an 80 Gb partition and had 50 Gb free
D:/ is a 160 Gb partition and had 60 Gb free.

Hope you understand my request,

Cheers,
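The mmls calculation described in the reply above, as an added example that is not part of the original thread: it multiplies each partition's sector count by the sector size mmls reports, and also prints the byte offset of each partition for a read-only loop mount of the raw image. The function names and the sample mmls listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive partition sizes and loop-mount offsets from mmls output.

# Constructed sample of mmls output for a two-partition DOS disk (not from the thread).
sample_mmls() {
cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  000:000   0000000063   0167772222   0167772160   NTFS / exFAT (0x07)
003:  000:001   0167772223   0503316542   0335544320   NTFS / exFAT (0x07)
EOF
}

# Reads mmls output on stdin; prints one line per allocated partition:
#   slot  size_bytes  size_GiB  loop_offset_bytes
partition_sizes() {
    awk '
        # Sector size comes from the "Units are in N-byte sectors" header.
        /^Units are in [0-9]+-byte sectors/ {
            split($4, u, "-"); ssize = u[1] + 0; next
        }
        # Allocated partitions carry a table:entry slot such as 000:000;
        # Meta and Unallocated rows are skipped.
        $2 ~ /^[0-9]+:[0-9]+$/ {
            if (ssize == 0) { print "no sector size line seen" > "/dev/stderr"; exit 1 }
            start = $3 + 0; len = $5 + 0
            # Cross-check Length against Start/End to catch a damaged row.
            if ($4 - $3 + 1 != len) { print "length mismatch in slot " $2 > "/dev/stderr"; exit 1 }
            # %.0f rather than %d: some awk builds clamp %d at 2^31-1.
            printf "%s %.0f %.2f %.0f\n", $2, len * ssize, len * ssize / 1073741824, start * ssize
        }
    '
}

# Real use (image name is a placeholder): mmls <image> | partition_sizes
sample_mmls | partition_sizes
```

The last column is the start sector times the sector size, which is the value to pass as `offset=` in a `mount -o ro,loop,offset=...` of the raw image exposed by affuse.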